Firewall Wizards mailing list archives
Re: w00w00 on AIM Filter (Backdoors & SpyWare)
From: Chad Schieken <cschieken () lucent com>
Date: Wed, 09 Jan 2002 08:01:45 -0500
Looks like we have a new form of attack. It seems akin the types of "semantic" attacks that Bruce Schneier talked about. Here the attacker publishes a vulnerability in a piece of widely used software, and points to another piece of software as the "solution". The solution contains the exploit code.
ouch! I got bit by this one (well, I downloaded installed and attempted to use AIM Filter). I was proud of myself for quickly implementing the "fix". Ugh.
Exactly how does a firewall protect against this type of attack? At 03:43 PM 1/8/2002, you wrote:
BugTraq readership:
It has recently come to our attention that AIM Filter, which we
recommended as an appropriate temporary solution for the AIM
buffer overflows we published, actually contains backdoors and
spyware. This became obvious when the source was released on
January 5th, 2002.
At the time, Robbie Saunders' AIM Filter seemed like a nice
temporary solution. Unfortunately, it instead produces cash-paid
click-throughs over time intervals and contains backdoor code
combined with basic obfuscation to divulge system information and
launch several web browsers to porn sites. We only took the time
to verify that it blocked the attack, since an analysis of AIM
filter wasn't our priority. Mea culpa.
In the meantime, we've cleaned up the AIM Filter code and produced
a modified version available on our website, and we've removed all
the backdoors and spyware. For those of you who are still
interested in using the software, we strongly recommend you use
this modified version instead. You will find it at:
http://www.w00w00.org/files/w00aimfilter.zip
We apologize to the security community at large for this mistake.
However, we think this is a very apt example of why closed-source
programs can be deadly. You never know for sure what lurks under
the hood of a binary executable, and of course U.S. Law (DMCA)
forbids you from trying to find out. Once again, disclosure is
your best friend.
We urge readers to find out more about the DMCA at
http://www.anti-dmca.org/.
We would also like to take this opportunity to provide updated
reference information on the original AIM vulnerability, which has
now been assigned a CVE Candidate ID: CVE-2002-0005.
--jordan and the w00w00 Security Team
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: w00w00 on AIM Filter (Backdoors & SpyWare) Chad Schieken (Jan 09)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Crispin Cowan (Jan 10)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) R. DuFresne (Jan 11)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Joseph S D Yao (Jan 11)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) M. Dodge Mumford (Jan 11)
- <Possible follow-ups>
- RE: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Carl Friedberg (Jan 10)
- RE: Re: w00w00 on AIM Filter (Backdoors & SpyWare) R. DuFresne (Jan 11)
- RE: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Frank Knobbe (Jan 12)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Crispin Cowan (Jan 10)